
“Abandon all hope, ye who enter here” is the inscription on the gates to enter Hell, according to Dante’s Inferno. Have we gotten to the same point when using the Internet? Given the latest information regarding the Office of Personnel Management (OPM) data breach, I think the answer is a resounding yes.

To recap the story: it was revealed in early June that a group of hackers gained access to the OPM database, which contained a wide range of information on up to 4,000,000 Federal employees, both past and present. This information included everything from basic personal information all the way up to sensitive records regarding performance appraisals and data related to security clearance. The information gained by these attackers could have wide-ranging impact, not only for those whose information has been compromised, but also for those who could be affected by any potential national security concerns.

Information released just a week later indicates the scope of the people impacted goes far beyond the original numbers; the new reports state that the personal information for all Federal employees and retirees was obtained. As with many news stories, there is always a cloud of uncertainty when new information is released (go back and watch early TV coverage of the 9/11 attacks), so we have to take new information with a grain of salt and wait to see what the true facts are (as much as are actually reported).

One of my favorite sayings is that security isn’t convenient and that there always needs to be a balance between the two. When discussing this, I use the analogy of the computer system in the first Mission Impossible movie – the one where Tom Cruise had to lower himself into the room to access it. That system is nice and secure but its accessibility and usefulness are compromised. Will this data breach finally push us over the edge of realizing that maybe our systems are now TOO connected and TOO accessible for our own good?

We’ve seen the focus of IT security move towards an emphasis on early detection and response taking priority over prevention. Is this an indicator that a white flag is being raised when it comes to keeping systems safe and that we should no longer worry about preventive measures? I don’t think that’s the case – we still need to take reasonable, prudent measures to keep the systems secure. But what it does mean is that if we acknowledge that any connected system will be vulnerable to determined bad actors, then shouldn’t we stop connecting these systems?